The majority of Android applications lack sufficient protections around the binary, so an attacker can easily trojanize a legitimate application with a malicious payload. This is one of the reasons that mobile malware is spreading so rapidly on Android phones.

In mobile security assessments, attempting to trojanize the application under scope can be useful as a proof of concept to demonstrate to the customer the business impact, in terms of reputation, if their application can be used for malicious purposes.

The process of injecting Metasploit payloads into Android applications through the use of scripts has already been described in a previous post. This article will describe how the same result can be achieved manually.

Step 1 – Payload Generation

Metasploit's MsfVenom can generate various forms of payloads, and it can be used to produce an APK file that contains a Meterpreter payload.

Step 2 – Decompile the APK

Before anything else, the target application and the pentestlab.apk generated previously must be decompiled. This can be achieved with apktool. The following command will decompile the code and save it into .smali files:

Step 4 – Injecting the Hook

Examining the Android manifest file of the application can help determine which is the Main Activity that is launched when the application is opened. This is needed because the payload will not be executed otherwise.

Identification of Main Activity

The following line, which is inside the Main Activity file, must be replaced with the code below:

;->onCreate(Landroid/os/Bundle;)V

Identification of code to be replaced

The following line will launch the Metasploit payload alongside the existing code when the activity starts.

Step 5 – Injecting the Application with Permissions

In order to make the injected payload more effective, additional permissions can be added to the Android manifest file of the application; these will give more control over the phone if the user accepts them.

Adding Android Permissions

Step 6 – Recompile the Application

Now that both the payload and the permissions have been added, the application is ready to be compiled again as an APK file.

java -jar apktool.jar b /root/Downloads/original/

Building the Injected APK

Step 7 – Signing the APK

Applications cannot be installed on the device if they are not signed. The default Android debug key can be used:
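As an added example from the defender's side (not part of the original post): once a vendor's known-good build and a suspect copy have both been decompiled with apktool, the decoded AndroidManifest.xml files can be compared to surface the permissions a repackaged copy gained in Step 5. The two manifests and the HIGH_RISK list below are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace apktool's decoded manifest uses for android:* attributes.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: the vendor's original, known-good manifest.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Example">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

# Constructed sample: the same manifest after repackaging added two permissions.
SUSPECT_MANIFEST = ORIGINAL_MANIFEST.replace(
    '<uses-permission android:name="android.permission.INTERNET"/>',
    '<uses-permission android:name="android.permission.INTERNET"/>\n'
    '    <uses-permission android:name="android.permission.READ_SMS"/>\n'
    '    <uses-permission android:name="android.permission.RECORD_AUDIO"/>',
)

# Constructed watch-list of permissions worth an immediate look; extend per policy.
HIGH_RISK = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
}


def declared_permissions(manifest_xml: str) -> set:
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def added_permissions(original_xml: str, suspect_xml: str) -> dict:
    """Permissions the suspect manifest declares that the original does not,
    split into the high-risk watch-list and everything else."""
    added = declared_permissions(suspect_xml) - declared_permissions(original_xml)
    return {"high_risk": sorted(added & HIGH_RISK),
            "other": sorted(added - HIGH_RISK)}
```

Run the same comparison against the signer certificate and the smali tree (e.g. unexpected calls added to the Main Activity's onCreate) to cover the other changes this procedure makes.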